InfoSec heavies weigh in on what the 9th Data Privacy Day taught us

Today marks the ninth annual Data Privacy Day, the purpose of which is to raise public awareness and advocate data protection and privacy best practices. Over the last year we’ve seen many high-profile breaches, involving eBay, JPMorgan and, most recently, Sony Pictures Entertainment – so it is clear that now, more than ever, both individuals and companies need to be acutely aware of the dangers that come from neglecting data protection. Here is what some of the industry’s thought leaders have to say on Data Privacy Day:

“A reactive approach to security breaches just won’t cut the mustard anymore. In an increasingly connected world, with the Internet of Things moving from buzzword to reality, businesses need to proactively monitor their data flows to prevent costly data breaches. However, many large organisations still wait for something to go wrong before addressing the flaws in their security strategies; a move that backfired in some of the most infamous security breaches of 2014.

“This year, connected devices will not only work their way into our daily lives but also our enterprises. BYOD will quickly evolve into BYOIoT, with employees bringing wearable devices into the workplace. For such increased enterprise mobility to open windows of opportunity for businesses, without paving the way for hackers to access private data, security must evolve at the same rate as the devices themselves. Organisations also need to know what data employees are bringing into and taking out of the office to ensure that malicious attacks and conspicuous activity are blocked.”

“This year’s Data Protection/Privacy Day is more important than ever. According to a report by the Identity Theft Resource Center, 2014 saw a 24.8 percent increase in reported breaches compared with the previous twelve months. It’s not for a lack of legislation either. While perhaps not perfect, there are strict laws in place to protect data. So what’s going wrong?

“While penalties for failing to comply with legislation are an incentive, in itself compliance is not the silver bullet – PCI DSS is testament to that. Today’s information security landscape is plagued with vulnerabilities that leave companies, and all too often the personal information of individuals, exposed to the potential of a breach.

“Instead, what’s needed is a fresh approach to network and application security that helps to remove some of the gaps, both internal and external, that lead to data leaking out.

“My advice to data protection knowledge seekers is that our 2015 security practices need to take a different approach, as the old ones do not appear to be working. Giving users access to everything is no longer a viable option with malware attacks and other vulnerabilities allowing hackers to gain entry unnoticed. Companies need to layer their defences to ensure that they limit what users can see once within the walls of the trusted network, based on who they are and other important variables, and then control what they can do with sensitive information.

“This will not only help prevent outside attacks but also mitigate risks created by the more unassuming threat, users themselves.”

Despite today’s fire-and-brimstone headlines about data breaches, the problem with cyber security is that nobody is feeling the pain of the problem. Consumers know their credit cards will be replaced and they will not be responsible for financial losses. Breached companies know their stock prices will bounce right back and consumers will continue shopping at their stores. And government regulations in this country speak for themselves – they simply are not a prescription for security.

The fact is, whether or not you’re feeling the pain of the problem, you will be better off staying safe online and avoiding security risks where possible. With that in mind, here are 3 areas to be cautious of:

Be smart about your passwords: This means you should refrain from using the same password across multiple accounts. By doing this you prevent cross-pollination – where cyber criminals use the same password details to facilitate data breaches across multiple organisations. Of course, with so many online accounts and different passwords, it’s challenging to remember a different one for each, so even better would be to replace these with One-Time Password (OTP) authentication. In my opinion, there’s no such thing as a strong password – static passwords all carry the risk of being hacked. OTP technology is the strongest protection for users. It can generate highly secure one-time passwords to authenticate users; often they will just have to remember a PIN in order to retrieve a new password.

Free Wi-Fi: You know the saying, there’s no such thing as a free lunch? I like to think it’s the same with Wi-Fi. I recently demonstrated in a 5 News investigation how easy it is to hack into a coffee shop’s free Wi-Fi and gain access to the devices connected to it, viewing their email addresses, bank account details and the other locations from which they connect to the internet – be that home or work. All this without their knowledge. Therefore, people must be more cautious about connecting to public Wi-Fi and the security risks of doing so.

Mobile security: Mobile devices are becoming a popular target for hackers. This is hardly a surprise given that so many of us have between 1 and 3 of them, and they are increasingly used to store sensitive work files and personal information. The challenge with these devices is that because they connect to the cloud, data ends up being stored in multiple places (the cloud, the mobile, etc.) and this gives hackers multiple attack points to use. Therefore, unless security controls are in place and companies understand where the data is being stored, there is a greater risk that these devices or their data could be breached.